Cyber security is far more than investing in hardware and software. First and foremost, cyber security is a business issue. This means that top management is accountable for ensuring that its organisation’s cyber security strategy meets business objectives and is adopted as a strategic risk. Discussions of cyber risk at board level should include identifying which risks to avoid, accept, mitigate or transfer (such as through cyber insurance), as well as reviewing specific plans associated with each approach.
The three fundamental domains of an effective cyber security strategy are: people, processes and technology. This page explains in further detail how those domains are connected.
A cohesive approach to cyber security
Organisations that fail to understand the interdependencies between people, processes and technology won’t withstand the ever-growing onslaught of cyber attacks. For example, the deployment of anti-malware software requires skill and has to be managed by a process.
Furthermore, just trying to prevent an attack is no longer a solution. Organisations need to be prepared for rebuffing, responding to, and recovering from a range of possible attacks. This can only be achieved if people, processes and technology are taken into account.
The ‘human factor’ has to be addressed at two key levels:
Non-technical staff must have an up-to-date awareness of their role in preventing and reducing cyber threats.
When carried out effectively, a staff awareness programme will help companies identify potential security problems, help staff understand the consequences of poor information security, ensure a consistent roll-out of procedures, as well as improve communication between different teams and different levels of the company.
View available security staff awareness training resources here.
Technical staff must have broad, up-to-date cyber security skills, competency and qualifications.
Every organisation needs specialists to plan and execute the more complex activities required to deliver an effective cyber security strategy. Poorly trained security management staff may mean inadequate risk management and the application of cyber security controls that simply do not work. In addition, an organisation’s ability to respond to and recover from data breaches will also depend on the competency of technical staff.
View available cyber security qualifications and training courses, delivered face-to-face or Live Online here.
Efficient processes define and explain how the many organisational activities, procedures, roles and documentation are used to mitigate the risks to the organisation’s information, and are the key to the implementation of an effective cyber security strategy.
ISO 27001 delivers a complete set of integrated cyber security processes based on the implementation of an information security management system (ISMS).
ISO 27001 also defines a requirement for continual assessment and improvement. This is facilitated by processes that ensure that the risks to an organisation are continually monitored and that appropriate mitigating controls are improved or implemented.
- Documentation toolkits provide ready-made templates and guidance for the creation of policies, procedures, work instructions, roles and improvement methodology according to the ISO 27001 framework.
- The Cyber Essentials scheme (CES ) is a UK Government-backed and industry-supported scheme to guide businesses in protecting themselves against cyber threats, and can help to prevent 80% of cyber attacks.
- ISO 27001 DIY consultancy packages provide everything needed to implement ISO 27001 without any of the usual associated complexities and costs.
Technology is a key element in achieving effective cyber security for any organisation. An effective cyber security programme requires the identification of cyber risks and the selection of appropriate measures (controls) to prevent or mitigate the impact of these risks.
The ISO27001 standard provides guidance on both risk management and the type of controls that can be used to mitigate cyber risks.
The 20 Critical Security Controls are specifically technical cyber security controls. Each of the 20 listed critical controls is supported by detailed implementation, automation, measurement and test/audit guidance, which reflects a consensus of multiple security experts on the most effective ways to mitigate the specific attacks that these controls are designed to deal with.
The UK Government’s Ten Steps to Cyber Security framework provides a summary of 10 key technical controls that should form part of an effective cyber security strategy, and underscore the role of people, processes and technology in information security. These are:
- An information risk management regime endorsed by the organisational leadership
- Secure home and mobile working
- User education and awareness
- User privilege management
- Removable media controls
- Activity monitoring
- Secure configurations
- Malware protection
- Network security
- Incident management
Conducting a cyber security risk assessment
Any robust cyber security regime will be based upon a comprehensive cyber risk assessment. As part of an information security management system, ISO 27001 requires that the risk environment be continually monitored and reviewed in order to detect any changes in the context of the organisation, and to maintain an overview of the complete risk management process.
- A Cyber health check is a good starting point when embarking on a cyber security improvement programme, and will enable you to identify your weakest security areas and take appropriate measures to mitigate those risks.
- Penetration testing (or pen testing ) is the process of testing your applications for vulnerabilities and assessing whether hackers could do harm to your organisation. Penetration tests are an important part of the process of identifying, measuring and communicating your cyber risks so that smart risk mitigation strategies can be implemented. With the results of a successful pen test, you can show that the investments you are making have actual benefits that will support your organisation’s overall business objectives.
- vsRisk™ reduces the number of hours spent conducting comprehensive risk assessments by providing a simple, smart and streamlined solution. Fully compliant with ISO 27001:2013, this widely applicable risk assessment tool provides the framework and resources to complete an information security risk assessment quickly and easily.